More from the Lower Merion School District.

23 February 2010

A couple of days ago word hit the newswires that a high school in Philadelphia, Pennsylvania had been using the laptops issued to its students to spy on them. Word's gotten around (no surprise there), and the BBC was the first to throw the 'potentially undressed minors' flag (and rightly so, in this case). The district has claimed that the spycam feature of the monitoring software was only for the purpose of recovering lost or stolen laptops and says that they deactivated the software remotely. If you've been paying attention to this story I don't have to tell you that this is an outright lie, because the district contacted the parents of student Blake Robbins to send them a disciplinary report and included a copy of the photograph of Blake holding what was later determined to be a piece of candy. Unless the Jedi Mind Trick is employed, that doesn't sound like laptop recovery to me. Plus, even if the parents sign off on it, it's still unconstitutional for a government entity (like a school) to engage in surveillance.
Interestingly, someone claiming to be a recent graduate from the school district commented on an article run by Ars Technica in which he confirmed the model of laptops issued by Lower Merion and stated that it was not uncommon for the "Hi, I'm recording now!" LEDs near the webcams to flicker on from time to time. It seems that some clueful students interpreted this correctly and blacked out the cameras with pieces of tape, band-aids, or similar materials just in case. What I find disturbing (yet not all that surprising) is that many of the other students at the Lower Merion high school aren't bothered in the least that someone might be watching them. They seem to believe the school that the surveillance capabilities are only used to recover missing equipment when, in fact, the evidence strongly suggests the contrary. One senior was quoted as saying "It an invasion of privacy, but I'm sure we signed stuff in waivers."

Finally, the hacker called Stryde got hold of the malware installed on the students' laptops and started reverse engineering it to document how it worked. In so doing he discovered that Michael Perbix, system administrator of the high school, has been documenting much of his work with the school laptops in his blog (posts have been captured offline; if necessary I'll post my mirrors of it here), including how to turn the Macbook webcam on and off remotely. The surveillance software used by the district, called LanREV by Absolute Software can be browsed on the local network with Bonjour and accessed remotely without having to authenticate to it. You really should check out Stryde's writeups, they're not overly technical but highly informative, and if you're using someone else's box you really need to know what all the risks are.

If you can't control whether or not something is turned on, disconnect it or blind it. Software can't reconnect a battery or pull off a sticky note. Take nothing at face value; read the fine print before you sign anything.